Exploitation of vulnerabilities and circumvention of security mechanisms

This complete methodology is relevant to Internet-based networks
being tested in a blind fashion with limited target information (such
as a single DNS domain name). If a consultant is enlisted to assess a
specific block of IP space, he skips initial network enumeration and
commences bulk network scanning and investigation of vulnerabilities.

1.5.1 Internet Host and Network Enumeration

Publicly available reconnaissance techniques, including web and
newsgroup searches, Network Information Center (NIC) WHOIS querying,
and Domain Name System (DNS) probing, are used to collect data about
the structure of the target network from the Internet without
actually scanning the network or necessarily probing it directly.

Initial reconnaissance is very important because it identifies hosts
that aren't properly fortified against attack. A determined attacker
invests time in identifying peripheral networks and hosts, while
companies and organizations concentrate their efforts on securing
obvious public systems (such as public web and mail servers) but
neglect hosts and networks that lie off the beaten track.

It may well be the case that a determined attacker also enumerates
networks of third-party suppliers and business partners that, in
turn, have access to the target network space. Nowadays such third
parties often have dedicated links into areas of internal corporate
network space through VPN tunnels and other links.

This information is then used to perform structured bulk network
scanning and probing exercises to further assess the target network
space and investigate potential vulnerabilities. Further
reconnaissance involves extracting user details (including email
addresses), telephone numbers, and office addresses.

1.5.2 Bulk Network Scanning and Probing

After identifying public IP network blocks that are related to the
target network space, analysts should carry out bulk TCP, UDP, and
ICMP network scanning and probing to identify active hosts and
accessible network services (such as HTTP, FTP, SMTP, and POP3) that
can in turn be abused to gain access to trusted network space.

Key pieces of information that are gathered through bulk network
scanning include details of accessible hosts and their TCP and UDP
network services, along with peripheral information such as details
of ICMP messages to which target hosts respond, and insight into
firewall or host-based filtering policies.

After gaining insight into accessible hosts and network services,
analysts can begin offline analysis of the bulk results and
investigate the latest vulnerabilities in accessible network
services.
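
The offline analysis step described above, sketched as an added example (not code from the original text) for reviewing the results of an authorized scan of your own address space. It assumes the scanner wrote Nmap's grepable (`-oG`) output, which the text does not name; the hosts, addresses, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Nmap grepable (-oG) format; addresses come from the
# RFC 5737 documentation range and are not data from the original text.
SAMPLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.org)\tStatus: Up
Host: 192.0.2.10 (www.example.org)\tPorts: 21/open/tcp//ftp//vsftpd/, 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (997)
Host: 192.0.2.20 (mail.example.org)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 110/open/tcp//pop3///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (998)
Host: 192.0.2.30 ()\tStatus: Up
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_grepable(text):
    """Return {ip: {"name", "ports": [(port, proto, state, service, version)], "ignored"}}."""
    hosts = defaultdict(lambda: {"name": "", "ports": [], "ignored": ""})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment line or anything that is not a host record
        host = hosts[m.group(1)]
        host["name"] = m.group(2)
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    # Field order: port/state/protocol/owner/service/rpc-info/version/
                    p = entry.split("/")
                    host["ports"].append((int(p[0]), p[2], p[1], p[4], p[6]))
            elif key == "Ignored State":
                host["ignored"] = value.split(" ")[0]
    return dict(hosts)

def summarize(hosts):
    """Group confirmed-open services by name and infer each host's default filtering."""
    services = defaultdict(list)   # service name -> [(ip, port, proto)]
    filtering = {}                 # ip -> inferred default policy
    for ip, h in hosts.items():
        for port, proto, state, service, _version in h["ports"]:
            if state == "open":    # "open|filtered" is ambiguous, so it is excluded
                services[service].append((ip, port, proto))
        # Unlisted ports mostly "closed": probes reach the host. Mostly "filtered": dropped en route.
        policy = {"closed": "unfiltered", "filtered": "filtered-by-default"}
        filtering[ip] = policy.get(h["ignored"], "unknown")
    return dict(services), filtering
```

Running `summarize(parse_grepable(SAMPLE))` yields the per-service exposure list to check against vulnerability databases, plus a per-host hint about whether a firewall or host-based filter sits in front of it.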

1.5.3 Investigation of Vulnerabilities

New vulnerabilities in network services are disclosed daily to the
security community and underground alike, through Internet mailing
lists and public forums including Internet Relay Chat (IRC).
Proof-of-concept tools are often published for use by security
consultants, whereas full-blown exploits are increasingly retained by
hackers and not publicly disclosed in this fashion.

Here are five web sites that are extremely useful for investigating
potential vulnerabilities within network services:

SecurityFocus (http://www.securityfocus.com)

Packet Storm (http://www.packetstormsecurity.org)

CERT vulnerability notes (http://www.kb.cert.org/vuls/)

MITRE Corporation CVE (http://cve.mitre.org)

ISS X-Force (http://xforce.iss.net)

SecurityFocus hosts many useful mailing lists including BugTraq,
Vuln-Dev, and Pen-Test. These can be subscribed to by email, and
archived posts can be browsed through the web site. Due to the sheer
number of posts through these lists, I personally browse the
mailing-list archives only every couple of days.

Packet Storm actively archives underground exploit scripts, code, and
other files. If you are in search of the latest public tools to
compromise vulnerable services, Packet Storm is a good place to
start. Often, SecurityFocus provides only proof-of-concept or old
exploit scripts that aren't effective in some cases.

Lately, Packet Storm has not been updated as much as it could be, so
I increasingly browse databases such as the MITRE Corporation Common
Vulnerabilities and Exposures (CVE), ISS X-Force, and CERT
vulnerability notes lists. These lists allow for effective collation
and research of all publicly known vulnerabilities so that exploit
scripts can be located or built from scratch.

Investigation at this stage may also mean further qualification of
vulnerabilities. Often it is the case that bulk network scanning
doesn't give detailed insight into service
configuration and certain enabled options, so a degree of manual
testing against key hosts is often carried out within this
investigation phase.

Key pieces of information that are gathered through investigation
include technical details of potential vulnerabilities along with
tools and scripts to qualify and exploit the vulnerabilities present.

1.5.4 Exploitation of Vulnerabilities

Upon qualifying potential vulnerabilities in accessible network
services to a degree that it's probable that exploit scripts and
tools will work correctly, attacking and exploiting the host is the
next step. There's not really a lot to say about exploitation at a
high level, except that by exploiting a vulnerability in a network
service and gaining unauthorized access to a host, an attacker breaks
computer misuse laws in most countries (including the United Kingdom,
United States, and many others). Depending on the goal of the
attacker, she can pursue many different routes through internal
networks, although after compromising a host, she usually undertakes
the following:

Gain superuser privileges on the host

Download and crack encrypted user-password hashes (the SAM database
under Windows and the /etc/shadow file under
most Unix-based environments)

Modify logs and install a suitable backdoor to retain access to the
host

Upload and use tools (network scanners, sniffers, and exploit
scripts) to compromise other networked hosts

This book covers a number of specific vulnerabilities in detail but
leaves cracking and pilfering techniques (deleting logs, installing
backdoors, sniffers, and other tools) to the countless number of
hacking books available. The technical information provided here on
network and application vulnerabilities will enable you to formulate
effective countermeasures and risk-mitigation strategies.